没有认证春季安全授权 [英] Spring security authorization without authentication

问题描述

我有一个Java JSF 2，春季3，4休眠它使用一个第三方库对用户进行验证的Java EE应用程序。我进口所需的CA证书到我的JVM，增加了第三个库项目，并在web.xml中配置。该库读取智能卡用户的详细信息。这整个安装程序正在运行，且用户通过第三方库带到主页。

I have a Java JSF 2, Spring 3, Hibernate 4 Java EE Application which uses a third party library to authenticate the users. I imported the required CA certs into my JVM, added the third library to the project and configured in web.xml. The library reads the users details from smart card. This whole setup is working and users are taken to the home page by the third party library.

下面是我的要求，以确保应用程序。

Here are my requirements to secure the application.

• 检查一次，如果用户在应用程序中的特定数据库中存在


• 从应用程序数据库中获取该用户的角色


• 保护我的JSF页面


• 保护我的应用服务

我看了看这个链接，它似乎AuthenticationProcessingFilter是德precated，而不是适用于春季3！

I looked at this link and it seems "AuthenticationProcessingFilter" is deprecated and not applicable for Spring 3!

<一个href=\"http://$c$crsatwork.word$p$pss.com/2010/02/13/use-spring-security-for-authorization-only-not-for-authentication/\" rel=\"nofollow\">http://$c$crsatwork.word$p$pss.com/2010/02/13/use-spring-security-for-authorization-only-not-for-authentication/

我也看了这一个，但我不知道其他步骤需要什么/配置。

I also looked this one but I did not understand what other steps/configuration is needed.

<一个href=\"http://stackoverflow.com/questions/1322135/spring-security-authorization-without-authentication\">spring-security:不经认证授权

我真的AP preciate如果有人能够勾勒出了什么都是我需要实现Spring Security的，只有授权的项目。这是我想出了。

I would really appreciate if someone can outline what are all the items I need to implement Spring Security with Authorization only. This is what I came up with.

1）更新与弹簧3的安全POM，添加过滤器（我应该选择哪个过滤器）

1) Update pom with spring 3 security, add a filter (which filter I should pick)

2）自定义用户详细信息

2) Custom User Detail

3）自定义DaoAuthenticationProvider的时候

3) Custom DaoAuthenticationProvider

4）在注册应用程序的context.xml此自定义身份验证提供者

4) register this custom authentication provider in application-context.xml

5）注册的​​授权访问决策管理

5) register access decision managers for authorization

推荐答案

适合这种用例基的Spring Security类org.springframework.security.web.authentication。preauth.Abs​​tract preAuthenticatedProcessingFilter和org.springframework.security.web.authentication.$p$pauth.$p$pAuthenticatedAuthenticationProvider.

The base Spring Security classes suited for this use-case are org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter and org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.

在情况下，当前的认证库导致用户在标准的Java EE方式被认证（即呼吁在HttpServletRequest的getUserPrincipal（）实例返回验证用户的校长）你需要做的应该是类似的东西：

In case your current authentication library results in the user being authenticated in the standard Java EE way (i.e. calls to getUserPrincipal() on HttpServletRequest instance return the authenticated user's Principal) the things you need to do should be similar to:

1. 实现接口org.springframework.security.core.userdetails.UserDetailsS​​ervice哪些检查该用户存在于你的应用程序数据库，如果它不抛出UsernameNotFoundException



2. 添加以下设置Spring Security的：

1. Implement interface org.springframework.security.core.userdetails.UserDetailsService which checks that the user exists in your application database and throws UsernameNotFoundException if it doesn't

2. Add the following settings for the Spring Security:

<!-- Declare the user details for database check -->
<bean id="userDetails" class="com.yourpackage.DatabaseUserDetails"/>

<!-- Default empty auth manager -->
<security:authentication-manager alias="authenticationManager"/>

<!-- Use default settings from the jee namespace -->
<security:http>
    <security:jee mappable-roles="IS_AUTHENTICATED_FULLY" user-service-ref="userDetails"/>
</security:http>

配置您的Spring Security根据您的要求进行授权

Configure your Spring Security to perform authorization based on your requirements

安全：JEE初始化既是一个过滤器和认证供应商和插头用户服务的提供商

The security:jee initializes both a filter and authentication provider and plugs your user-service to the provider.

在情况下，你目前的身份验证库不使用Java EE的机制，你需要实现自己的哪知道如何识别用户已验证的摘要preAuthenticatedProcessingFilter的子类。

In case your current authentication library doesn't use Java EE mechanisms, you will need to implement your own subclass of the AbstractPreAuthenticatedProcessingFilter which knows how to recognize that the user has authenticated.

您会再与你自己的替换默认pre-auth的过滤器，这样的配置看起来像：

You would then replace the default pre-auth filter with your own, so the configuration would look like:

<!-- Declare the user details for database check -->
<bean id="userDetails" class="com.yourpackage.DatabaseUserDetails"/>

<!-- Define provider -->
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
  <bean id="userDetailsServiceWrapper"
      class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    <property name="userDetailsService" ref="userDetails"/>
  </bean>
</property>
</bean>

<!-- Define alias for the authentication manager -->
<authentication-manager alias="authenticationManager">
   <security:authentication-provider ref="preauthAuthProvider" />
</authentication-manager>

<!-- Declare the custom filter -->
<bean id="authenticationFilter" class="com.yourpackage.AuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>

<security:http>
    <security:custom-filter ref="authenticationFilter" position="PRE_AUTH_FILTER"/>
</security:http>

您可以找到的 Spring Security的文档。

这篇关于没有认证春季安全授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！